CVE-2026-21258 Overview
CVE-2026-21258 is an information disclosure vulnerability in Microsoft Office Excel caused by improper input validation (CWE-20). An unauthorized attacker can disclose sensitive information locally by convincing a user to open a crafted Excel file. The flaw affects multiple Microsoft Office distributions, including Microsoft 365 Apps, Excel 2016, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, and Office Online Server.
Microsoft assigned this vulnerability a CVSS 3.1 base score of 5.5 (MEDIUM). Exploitation requires user interaction, typically opening a malicious document delivered through phishing or file shares.
Critical Impact
Successful exploitation enables an attacker to read sensitive content from memory or file context, exposing data the user did not intend to share.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Excel 2016, Microsoft Office 2019
- Microsoft Office LTSC 2021 and 2024 (Windows and macOS), Microsoft Office Online Server
Discovery Timeline
- 2026-02-10 - CVE-2026-21258 published to the National Vulnerability Database (NVD)
- 2026-02-11 - Last updated in the NVD
Technical Details for CVE-2026-21258
Vulnerability Analysis
The vulnerability stems from improper input validation when Microsoft Excel parses spreadsheet content. Excel fails to adequately validate fields within a crafted file before processing them, which allows the application to expose memory or file content that should remain isolated from the user session.
The attack vector is local and requires user interaction. A victim must open the malicious file in a vulnerable Excel build. No elevated privileges are required, and the scope is unchanged. Confidentiality impact is high, while integrity and availability are not affected.
The vulnerability is classified under CWE-20: Improper Input Validation. Microsoft has not published low-level technical details. According to the Microsoft Security Update Guide, no public proof-of-concept exploit exists, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is missing or insufficient validation of structured input during Excel file parsing. When malformed structures are processed, the application reads beyond expected boundaries or surfaces uninitialized data, leaking information to the document context.
Attack Vector
An attacker crafts a malicious Excel workbook and delivers it through email, file-sharing services, or web download. When the targeted user opens the file in a vulnerable Excel client, the parser triggers the disclosure condition. The leaked data can then be exfiltrated through embedded formulas, external references, or visible cell content depending on the exploitation path.
No verified proof-of-concept code is available. Refer to the Microsoft Security Update Guide for CVE-2026-21258 for vendor-provided technical context.
Detection Methods for CVE-2026-21258
Indicators of Compromise
- Unsolicited .xlsx, .xls, or .xlsm attachments from external senders, especially those containing unusual external references or DDE/formula content.
- Excel processes (EXCEL.EXE) spawning network connections shortly after opening a document, indicating possible exfiltration of disclosed data.
- Office telemetry showing repeated parsing exceptions or document recovery events tied to a specific workbook.
Detection Strategies
- Inspect inbound email and file gateways for Office documents with malformed structures and quarantine for sandbox detonation.
- Hunt for Excel processes making outbound HTTP, SMB, or WebDAV connections to non-corporate destinations.
- Correlate document-open events with subsequent child-process activity or unusual file reads in user profile directories.
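The hunt described in the last two strategies can be prototyped offline before it is turned into a SIEM rule. The following is an added example, not vendor or Microsoft code: it correlates Sysmon ProcessCreate and NetworkConnect records by ProcessGuid and flags Excel connections to non-corporate addresses soon after launch. The corporate ranges, the 120-second window, the GUID strings and the sample events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions of this example: corporate ranges, watched ports, correlation window.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WATCHED_PORTS = {80: "HTTP/WebDAV", 443: "HTTPS/WebDAV", 445: "SMB"}
WINDOW = timedelta(seconds=120)
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed records with Sysmon field names (1 = ProcessCreate, 3 = NetworkConnect).
EVENTS = [
    {"EventID": 1, "UtcTime": "2026-02-12 09:14:03.120", "ProcessGuid": "{guid-a}",
     "Image": EXCEL, "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'},
    {"EventID": 3, "UtcTime": "2026-02-12 09:14:09.480", "ProcessGuid": "{guid-a}",
     "Image": EXCEL, "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
    {"EventID": 3, "UtcTime": "2026-02-12 09:14:11.002", "ProcessGuid": "{guid-a}",
     "Image": EXCEL, "DestinationIp": "10.20.30.40", "DestinationPort": "445"},
    {"EventID": 1, "UtcTime": "2026-02-12 10:00:00.000", "ProcessGuid": "{guid-b}",
     "Image": EXCEL, "CommandLine": r'"EXCEL.EXE" "C:\Users\bob\Documents\budget.xlsx"'},
    {"EventID": 3, "UtcTime": "2026-02-12 10:30:00.000", "ProcessGuid": "{guid-b}",
     "Image": EXCEL, "DestinationIp": "198.51.100.7", "DestinationPort": "80"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")

def _is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)

def hunt(events):
    """Alert on Excel connections to non-corporate hosts shortly after launch."""
    launches = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1
                and e["Image"].lower().endswith("\\excel.exe")}
    alerts = []
    for e in events:
        start = launches.get(e["ProcessGuid"])
        if e["EventID"] != 3 or start is None:
            continue  # not a connection, or not made by a tracked Excel process
        port = int(e["DestinationPort"])
        delay = _ts(e["UtcTime"]) - _ts(start["UtcTime"])
        if (port in WATCHED_PORTS and _is_external(e["DestinationIp"])
                and timedelta(0) <= delay <= WINDOW):
            alerts.append({"command_line": start["CommandLine"],
                           "destination": f'{e["DestinationIp"]}:{port}',
                           "protocol": WATCHED_PORTS[port],
                           "seconds_after_open": round(delay.total_seconds(), 1)})
    return alerts

if __name__ == "__main__":
    print(hunt(EVENTS))
```

Only the first workbook alerts: the SMB connection stays inside the corporate range and the second workbook's connection falls outside the window. In production the allowlist would also need the Microsoft 365 service endpoints that Excel contacts during normal use.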
Monitoring Recommendations
- Enable Microsoft Defender for Office 365 Safe Attachments or an equivalent attachment sandboxing solution.
- Forward Office telemetry, Sysmon ProcessCreate and NetworkConnect events, and EDR logs to a centralized analytics platform for correlation.
- Track Office build versions across the estate and alert on hosts running pre-patch builds after the Microsoft update is deployed.
How to Mitigate CVE-2026-21258
Immediate Actions Required
- Apply the security update referenced in the Microsoft Security Update Guide for CVE-2026-21258 to all affected Office installations.
- Inventory endpoints running Microsoft 365 Apps, Excel 2016, Office 2019, and Office LTSC 2021/2024 to confirm patch coverage.
- Reinforce user awareness training on opening unsolicited spreadsheet attachments.
Patch Information
Microsoft has published guidance and updates through the Microsoft Security Update Guide. Administrators should deploy the corresponding cumulative update for each affected channel, including click-to-run updates for Microsoft 365 Apps and MSI-based updates for Office 2016, 2019, LTSC 2021, and LTSC 2024. Office Online Server requires the server-side patch from the same advisory.
Workarounds
- Enable Protected View and Office Application Guard so untrusted documents open in an isolated container.
- Block macros and external content in files originating from the internet via Group Policy or Intune configuration profiles.
- Restrict opening of Excel files from untrusted sources at the email gateway and web proxy until patches are fully deployed.
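# Example: keep Protected View on for internet files and attachments, and block macros in files from the internet
# These commands write the current user's Office settings under HKCU; managed deployments set the same
# options through the Group Policy or Intune configuration profiles listed above.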
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
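To confirm the workaround actually landed on an endpoint, the values written by the reg add commands above can be checked against collected `reg query` output. The following is an added example, not vendor or Microsoft code: the sample output is constructed, and the function names `parse_reg_query` and `audit` are hypothetical.

```python
import re

# Values set by the page's reg add commands (key paths relative to HKCU).
BASE = r"Software\Microsoft\Office\16.0\Excel\Security"
EXPECTED = {
    (BASE + r"\ProtectedView", "DisableInternetFilesInPV"): 0,
    (BASE + r"\ProtectedView", "DisableAttachmentsInPV"): 0,
    (BASE, "BlockContentExecutionFromInternet"): 1,
}

# Constructed sample of `reg query "HKCU\...\Excel\Security" /s` output from one endpoint.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security
    BlockContentExecutionFromInternet    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView
    DisableInternetFilesInPV    REG_DWORD    0x1
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Map (key path under HKCU, value name) -> int for every REG_DWORD listed."""
    found, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_CURRENT_USER\\"):
            key = line.strip()[len("HKEY_CURRENT_USER\\"):]
        elif key and (m := VALUE_RE.match(line)):
            # Registry key and value names are case-insensitive, so normalise both.
            found[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return found

def audit(text):
    """Return {value name: 'ok' | 'missing' | 'mismatch (found N, want M)'}."""
    found = parse_reg_query(text)
    report = {}
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))
        if got is None:
            report[name] = "missing"
        elif got == want:
            report[name] = "ok"
        else:
            report[name] = f"mismatch (found {got}, want {want})"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, Protected View for internet files has been switched off (value 1) and the attachment value was never written, so both are reported for follow-up.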